password management applications

Some customers of CBS Corp. (CBS)’s Last.fm music site and EHarmony Inc.’s dating site had passwords stolen.

eHarmony, the “No 1 Most Trusted Dating Site,” stores the personal details of millions in the USA, UK, Australia, Canada and Brazil. The dating website was founded in 2000 and is based in Santa Monica, California. Over 500 people in the U.S. get married because of the site every day. 1.5 million of eHarmony’s 20 million-plus users have had their passwords hacked.

“After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected,” wrote eHarmony’s Becky Teroka. eHarmony has reset the passwords for those with compromised accounts. At least 420 of the passwords in this list contained the strings “harmony” or “eharmony.” The hashes found on the list do not contain the corresponding login names, making it impossible for anyone to use them to gain access to a particular user’s account.

“The security of our customers’ information is extremely important to us, and we do not take this situation lightly. After investigating reports of compromised passwords, we have found that a small fraction of our user base has been affected. We are continuing to investigate but would like to provide the following actions we are taking to protect our members. We have reset affected members’ passwords. Those members will receive an email with instructions on how to reset their passwords.

[They then list the usual password advice most companies try to provide to customers]

Last.fm is a British-based social music website that launched in London before being purchased by US media giant CBS in 2007. On Thursday, Last.fm, which recommends music to users based on the songs they already listen to, warned its website visitors to change their passwords after a leak which may have resulted from a hacking attack. Last.fm, with almost 40 million users, will update customers on the status of the breach through its Twitter account, said Luke Fredberg, director of international corporate communications for owner CBS in London.

###

PortalGuard is a context based authentication platform focused on enhancing usability, while maintaining a balance between security, auditing and compliance.

Following the attack on LinkedIn’s password database, the company says it has raised its security standards, including “hashing and salting of our current password databases,” wrote Vicente Silveira, a LinkedIn director, on LinkedIn’s blog. The company locked down and protected the accounts associated with the decoded passwords that were at the greatest risk, and invalidated those passwords. LinkedIn members are being contacted by LinkedIn with instructions on how to reset their passwords.

Affected members will receive an email with instructions on how to reset their passwords; current passwords will not work. They will also receive an email with more information on what happened. The company did not confirm how many passwords were involved; the breach reportedly affected about 6 million of LinkedIn’s 161 million users. LinkedIn has “a broad cross-functional team” working on resolving the password-breach problem and associated security concerns. The company is also in contact with the FBI.

###

Many sources are posting today about LinkedIn passwords that potentially leaked online from about 5% of users (6.5 million out of 150 million LinkedIn users worldwide). A hacker has leaked a 118 Mb file of the hashed passwords to a Russian forum. Fellow hackers have begun to crack the hashes. The forum is currently offline. It looks as though some of the weaker 300,000 passwords may have been cracked already. LinkedIn has so far found no evidence of a password leak. The passwords are hashed with the SHA-1 cryptographic hash function, which is also used in SSL and TLS. Here are LinkedIn’s responses:

To be safe, change your LinkedIn password ASAP. As always, it’s better to be safe about these things. It’s also unclear if the hackers got hold of LinkedIn usernames.

1. To change your LinkedIn password, log onto your account.

2. Click on your name in the upper right corner and then click on the link for Settings.

3. In the Settings section, click on the Change link next to Password.
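LinkedIn’s statement above says it now uses “hashing and salting” for its password databases, and the leaked file is described as plain SHA-1 hashes. The following is an added illustration of why that distinction matters for a defender; it is not LinkedIn’s code, and PBKDF2-HMAC-SHA256 with a random 16-byte salt is an assumed modern replacement scheme, not a description of what LinkedIn actually deployed. The user records are constructed sample data.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample data: two users happen to share the same weak password.
USERS = {"alice": "123456", "bob": "123456", "carol": "my dog has fleas"}

ITERATIONS = 100_000  # assumed work factor for the salted scheme


def sha1_unsalted(password):
    """Plain SHA-1 of the password: every user with the same password
    gets the same digest, so one cracked hash exposes all of them."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_with_salt(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated PBKDF2-HMAC-SHA256 (assumed scheme, not LinkedIn's).
    Returns (salt, digest); the salt is stored beside the digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify(password, salt, digest, iterations=ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def count_shared_hashes(hashes):
    """Number of distinct digests that more than one user shares."""
    return sum(1 for _, n in Counter(hashes).items() if n > 1)


def demo():
    unsalted = {u: sha1_unsalted(p) for u, p in USERS.items()}
    salted = {u: hash_with_salt(p) for u, p in USERS.items()}
    return {
        # alice and bob collide under unsalted SHA-1 ...
        "unsalted_shared": count_shared_hashes(unsalted.values()),
        # ... but not once each record carries its own random salt.
        "salted_shared": count_shared_hashes(d for _, d in salted.values()),
        "verify_correct": verify("123456", *salted["alice"]),
        "verify_wrong": verify("654321", *salted["alice"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `unsalted_shared` count is the practical problem with the leaked file: identical passwords hash identically, so a cracker who recovers one common password has recovered it for every account that uses it, and precomputed tables work across the whole dump. The per-user salt removes that sharing, and the iteration count makes each guess cost more.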

In other news, LinkedIn’s iOS app potentially violates user privacy by sending detailed calendar entries to its servers. According to LinkedIn’s mobile app head Joff Redfern:

In order to provide our calendar service to those who choose to use it, we need to send information about your calendar events to our servers so we can match people with LinkedIn profiles. That information is sent securely over SSL and we never share or store your calendar information.

In an effort to make that algorithm for matching people with profiles increasingly smarter we pull the complete calendar event, including email addresses of people you are meeting with, meeting subject, location and meeting notes.

The company has already promised that it will no longer pick up meeting notes from your calendar and add a “learn more” link to explain how your calendar data is being used.

###

Joseph Bonneau, PhD, University of Cambridge, analyzed the password strength of 70 million Yahoo users. The data was protected using hashing (a security technique), which ensured that he did not have access to the individuals’ accounts. He was then able to measure and calculate relative strength of passwords across various demographics. Password strength is measured in bits, where cracking one bit is equivalent to the chance of correctly calling a fair coin toss and each additional bit doubles the password’s strength. These are interesting (if not unexpected) results.

* People over the age of 55 pick passwords with double the strength of those chosen by people under 25 years old. German and Korean speakers choose the strongest passwords. Indonesians pick the weakest.

* People who change their password from time to time tend to select the strongest ones.

* People with a credit card stored on their account do little to increase their security other than avoiding weak passwords such as 123456. This had no effect on whether the password associated with the card would be stronger.

* The average password would take only 1,000 random attempts before it was guessed. A randomly chosen six-character password composed of digits and upper and lower case letters should offer 32 bits of security. People often pick much easier passwords than those theoretically allowed.

* People who have the strongest passwords are also in the same category as people who change their passwords occasionally.

How can businesses use this information?

One pointer Bonneau’s research discussed was that businesses should make users pick tougher passcodes, for instance, assigning people randomly chosen nine-digit numbers (the length of a phone number). Each character of that nine-digit “telephone” password has 10 possible values, so there are only 10^9 = 1,000,000,000 (0.001 trillion) possible passwords. This would also create WAY too many forgotten passwords, which cause Help Desk calls and productivity losses.

We, here at PortalGuard, had a thought that a much better approach is to encourage “pass phrases.” Using “my dog has fleas” is MUCH easier to remember and constraining the example to only allow spaces and lower case ASCII characters results in a purely random* password “space” of:

for a 16 character phrase (note: 26 letters + space = 27). Obviously, this pass phrase is also MUCH more difficult to crack.

* – We used “purely random” to simplify the math since some letters occur more frequently than others. The “actual” password space would be lower than that number, but still multiple orders of magnitude greater than the phone number example.
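The bits-of-security measure from the Yahoo study above, the nine-digit “telephone” password, and the 16-character lower-case-plus-space pass phrase can all be put on the same scale with a few lines of arithmetic. The block below is an added example, not code from PortalGuard or from Bonneau’s paper. It computes the uniform password space and its size in bits for both schemes, converts the “1,000 random attempts” figure into bits, and, for the footnote’s point about letter frequencies, estimates the per-character Shannon entropy of English text from an approximate letter-frequency table (the table is an assumption, rounded from commonly published English frequencies, and is normalised before use).

```python
import math

# Approximate English letter frequencies in percent (assumed, rounded from
# commonly published tables); space is included so the alphabet matches the
# 27-symbol pass-phrase example. Values are normalised before use.
APPROX_FREQ = {
    " ": 18.0, "e": 10.4, "t": 7.4, "a": 6.7, "o": 6.1, "i": 5.7, "n": 5.5,
    "s": 5.2, "h": 5.0, "r": 4.9, "d": 3.5, "l": 3.3, "c": 2.3, "u": 2.3,
    "m": 2.0, "w": 1.9, "f": 1.8, "g": 1.6, "y": 1.6, "p": 1.6, "b": 1.2,
    "v": 0.8, "k": 0.6, "j": 0.1, "x": 0.1, "q": 0.1, "z": 0.1,
}


def search_space(alphabet_size, length):
    """Number of possible passwords when each position is drawn uniformly."""
    return alphabet_size ** length


def bits_for_charset(alphabet_size, length):
    """Bits of security of a uniformly random password: log2(alphabet^length)."""
    return length * math.log2(alphabet_size)


def bits_from_guesses(expected_guesses):
    """Convert an expected guess count into bits. One bit is a fair coin toss;
    each extra bit doubles the work, so 1,000 guesses is just under 10 bits."""
    return math.log2(expected_guesses)


def shannon_bits_per_char(freq_table):
    """Per-symbol entropy H = -sum(p * log2 p) for a non-uniform alphabet.
    This is the 'actual' per-character strength the footnote alludes to."""
    total = sum(freq_table.values())
    return -sum((f / total) * math.log2(f / total) for f in freq_table.values())


def compare_schemes(phrase_length=16):
    phone_space = search_space(10, 9)            # 1,000,000,000
    phrase_space = search_space(27, phrase_length)
    per_char = shannon_bits_per_char(APPROX_FREQ)
    return {
        "phone_space": phone_space,
        "phone_bits": bits_for_charset(10, 9),                   # ~29.9 bits
        "phrase_space_uniform": phrase_space,
        "phrase_bits_uniform": bits_for_charset(27, phrase_length),  # ~76 bits
        "phrase_bits_english_estimate": per_char * phrase_length,
        "orders_of_magnitude_over_phone": math.log10(phrase_space / phone_space),
        "avg_yahoo_password_bits": bits_from_guesses(1000),      # ~10 bits
    }


if __name__ == "__main__":
    for k, v in compare_schemes().items():
        print(f"{k}: {v:,.2f}" if isinstance(v, float) else f"{k}: {v:,}")
```

Even after discounting for English letter frequencies, the 16-character pass phrase comes out tens of bits ahead of the nine-digit number, which is the footnote’s point: the exact space is smaller than 27^16, but still many orders of magnitude larger than 10^9.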